- Navigating Smart Home Data Security Concerns
- Improper Data Use Looms Over the Internet of Things
- Solution Providers Respond to Smart Home Data Security Concerns
- Designing Connected Home and Building Solutions with Data Security in Mind
- Collecting Data Presents New Business Opportunities
- Data Security Begins at Collection
- Smart Home Devices and Privacy Risk – Risk Management
Navigating Smart Home Data Security Concerns
The connected homes and buildings that were once considered science fiction are finally seeing the light of day. However, now that a connected future is here, consumers are slow to adopt the technology and skeptical about the devices furnishing their surroundings. In many cases, they are worried about smart home data security—and rightly so.
Consumers become warier about smart home data security with every breach. When you consider the frequency of data breaches around the world—be they at a credit card company, a store or a website—it’s easy to understand that consumers have plenty of cause for data security concerns.
Data breaches are becoming frequent. Gemalto Security’s Breach Level Index reports that the total number of records breached every second, minute, day and hour nearly doubled from 2016 to 2017. It also estimates that more than 9.7 billion records have been lost or stolen in the last five years.
Improper Data Use Looms Over the Internet of Things
In addition to data breaches, there are also instances of improper data use. Earlier in 2018, was involved in a controversy related to how Cambridge Analytica obtained, used, and allegedly retained information about 87 million users, according to CNBC. Considering the massive amounts of data received by the platform, it’s easy to understand consumers’ concern.
In light of all of this, some consumers are approaching connected devices with extra caution—especially when data-collecting technologies pervade every nook and cranny of our daily lives: work and play a.
Before consumers bring these smart devices into their homes, they want to ensure their personal information and data will be secure. In addition, they want to feel confident that Wi-Fi enabled devices—e.g.
, smart thermostats or security cameras—won’t inadvertently give malicious actors easy access to their homes. The IoT revolution comes with risks—but risks we can address.
Solution Providers Respond to Smart Home Data Security Concerns
Recent events also have changed the way manufacturers think about collecting data from consumers.
In Jabil’s 2018 Connected Home and Building Technology Trends Survey, 69 percent of participants noted that the recent focus on data privacy has made them rethink their plans to collect and use data from smart devices.
This trend was even stronger for companies that manufacture connected devices for consumer use, probably because both recent events dealt with consumer information.
The European Union’s (EU) General Data Protection Regulation (GDPR), which took effect in May 2018, requires all companies that do business online with or market to individuals in the EU to take extra steps to protect users’ personal information. At its core, the regulation requires companies to:
- Explain what user data will be collected and how it will be used
- Require individuals to give clear consent to have their data collected
- Allow individuals to submit requests to have their data deleted
- Safeguard any collected data and promptly notify users of data breaches
Although the rule was created by the EU, it applies to all companies around the world that are trying to connect with people in the EU.
In response to these events, of those solution providers rethinking plans to collect and use data, 55 percent said they will monitor market sentiments to understand what their consumers find acceptable when it comes to data security. Sixty-two percent said they will be more careful about rules and regulations governing data security and privacy.
Although the GDPR has furthered the discussion about data privacy, no additional regulations have been enacted yet. Most countries do not have any regulations guiding the Internet of Things (IoT) or protecting consumer data. In the U.S.
, there are some guidelines for how a connected device should be designed, but there are no mandates to follow these guidelines.
However, considering the growing number of data security issues, governments worldwide could conceivably choose to step in and add regulations to protect consumers.
Designing Connected Home and Building Solutions with Data Security in Mind
Due to the fact that there are currently no minimum requirements for smart devices, there isn’t a standard of implementing cybersecurity into these devices. Many manufacturers approach cybersecurity from a cost and value perspective.
If the cost of adding a data security chip outweighs the value the company will gain for the added feature, the designer will not add it to the product.
Similarly, if the end-user is not willing to pay more for a high-security device, the manufacturer does not stand to financially gain very much from incorporating extra cybersecurity protocols. Clearly, we need to develop better standards for smart home data security protocols.
One less costly security option that we’re experimenting with at Jabil is using digital authentication certificates. This method does not add a hardware cost to the product. Instead, these certificates are codes that you can inject into the products at the factory-level during production. The codes digitally certify the products and create a secure link with the receiving end.
As the IoT market evolves and more consumers are willing to convert to connected homes, market demand for cybersecurity features will undoubtedly increase, which will give manufacturers the justification they need to build more secure products.
Collecting Data Presents New Business Opportunities
Despite its risks and challenges, data collection can be beneficial to both solution providers and consumers.
Nearly 60 percent of Jabil survey respondents said they plan to use collected data to identify and solve problems with devices and connectivity.
More than half plan to use it to understand user behavior and guide product development, while 45 percent will use it to provide reports to end-users. In these cases, data collection will beget better user experiences.
Data collection goes beyond improving user experiences. Device manufacturers also see opportunities to use data to build new revenue streams:
- 34 percent of participants plan to connect the big data to retailer databases for cross-selling and cross-branding opportunities
- 31 percent want to use the information for marketing and thought leadership insights
- 25 percent plan to sell the data to determine supply and demand trends
These strategies also have some value for consumers. For example, a smart refrigerator participating in a cross-selling program could remind a consumer that they are running low on milk and offer coupons or advertisements for sales at local stores. This adds a level of convenience for the consumer.[bctt tweet=”As the IoT market evolves and more consumers are willing to convert to connected homes, market demand for cybersecurity features will undoubtedly increase, which will give manufacturers the justification they need to improve it.” username=”iotforall”]
However, if brands plan to share and sell consumer data, it’s important to make the consumer aware of how their data will be used. According to a 2018 survey of 2,000 U.S. consumers by enterprise technology provider Ooma, 72 percent of people who already have smart home data security systems worry their providers will use the devices to invade their privacy.
Manufacturers could take a page from the GDPR and include clear, easy-to-understand terms and conditions with their connected home and building solutions that explain the risks and benefits of the device’s data collection approach. This can help build greater trust between users and the device, plus help the users better enjoy the convenience the system provides.
Data Security Begins at Collection
When asked about their plans, 99 percent of solution providers agree that their products will collect data. However, there is no consensus on where this data will be stored.
About two-thirds plan to store the data on the connected device itself, which is the most frequently reported form of data collection. But it’s also common for the data to be collected in the cloud, in on-premises infrastructure or on a local device such as a smartphone or laptop.
Solution providers will need to take the necessary steps to ensure data is secure and private—no matter where it’s housed.
There are always going to be skeptics who choose to opt the latest smart devices for privacy reasons, fearing smart home or smartphone data security breaches, but it’s unly that these individuals will be in the majority.
If you think back 10 years ago before really rose in popularity, most consumers would not have been comfortable telling people that they are away from home and staying at a certain hotel. Now, there are 70 billion transactions happening on it every day.
This has changed the way people interact with the world and made them more comfortable sharing their world with close friends, acquaintances, and even strangers. In just a few short years, more consumers will be accustomed to connected devices in their homes as well.
Smart home data security is definitely a major concern, but it’s an issue we can navigate collectively as change-makers.
Written by Sam Salem, Senior Director – Technology and Strategic Development, Connected Consumer Technologies, Jabil. This post originally appeared on the Jabil Blog.
- Consumer Products
- Data Analytics
- Smart Home Automation
- Consumer Products
- Data Analytics
- IoT Business Strategy
Smart Home Devices and Privacy Risk – Risk Management
Internet-connected products have become enmeshed in many aspects of daily life, both at home and in the workplace. According to the consumer trends research firm Park Associates, 36% of homes with a broadband internet connection have a smart speaker, and 8% have a video doorbell, with another quarter of respondents saying that they plan to buy a video doorbell in the future.
While “smart home” or internet of things (IoT) devices have become more prevalent and may make everyday or business tasks more convenient, they also diminish consumers’ privacy and introduce serious risks, for both users and device developers and manufacturers.
With connected devices, the connection goes two ways. When consumers bring internet-connected devices into their homes or businesses, the companies behind the devices gain access to a wealth of information about those consumers.
Companies often do not explicitly disclose all of these practices to users, quietly harvesting, analyzing and sometimes selling their data to third parties advertisers.
As the devices are used in more settings every day from homes to offices, this data can include everything from recordings of deeply personal interactions to proprietary business information.
In the process, developers risk running afoul of new privacy regulations and possibly losing consumer trust when the public discovers the extent of their activities. This could have serious ramifications, including millions (or even billions) of dollars in fines and reputation damage that can crater revenue.
Of the reasons Park Associates survey respondents cited for not buying such devices, only 25% chose privacy and security concerns, but that may soon change. A recent wave of news stories revealed that employees and contractors associated with many of these products have been accessing, analyzing and storing customer recordings, sometimes without even their tacit consent, including:
After revelations that Amazon had thousands of human beings listening to and transcribing audio from its home devices, the company admitted that it keeps some audio and transcripts indefinitely, sometimes even after customers try to delete them manually.
Not only that, but Amazon contractors reportedly shared particularly amusing or disturbing clips with each other and even saw user locations paired with those recordings.
The company’s privacy documentation does not explicitly disclose that human beings are listening to user audio.
Researchers also found that the company’s Echo Dot Kids Edition could collect recordings of a child speaking about her private health information and address, and when parents attempted to delete the information (as Amazon said they could), the device still retained it.
And in January, The Intercept revealed that Amazon’s video doorbell company Ring provided a research and development team based in Ukraine with unencrypted access to every video from all Ring cameras worldwide for analysis and annotation, partially to strengthen its facial recognition software.
The Guardian reported in July that Apple used external contractors to review recordings from its voice-activated assistant, Siri, which can be easily activated by accident by saying words that sound similar to its name.
Apple contractors had access to Siri recordings, including audio of “confidential medical information, drug deals, and recordings of couples having sex.” A whistleblower told reporters that the audio is linked to user information including location, contact details and app usage.
Similar to Amazon, Apple does not clearly state that contractors may be listening to users’ audio.
The social media giant hired hundreds of contractors to transcribe audio from the Voice to Text feature of its Messenger service.
Additionally, the company said that if one person consented to transcription, both sides of the conversation would be transcribed.
While Voice to Text is an optional feature that users may turn off, it is switched on by default and did not disclose that human beings would have access to users’ recordings, claiming only that “Voice to Text uses machine learning.”
Apple’s Siri, Google’s home assistant is often triggered by accident, not just by saying “Okay Google” or “Hey Google,” as advertised.
Belgium-based VRT News revealed in July that human beings were processing the audio Google recorded (accidentally or intentionally).
While the company claimed it removed identifying information from the recordings, a whistleblower provided VRT reporters with audio clips that clearly contained users’ addresses as well as other personal information.
In August, Motherboard reported that contractors were transcribing audio from online communication platform Skype’s Translator service, which provides nearly instant translations during calls.
While Motherboard’s reporting focused on the types of personal information contractors could hear, Skype is used in a variety of settings, including for business calls that may contain proprietary or sensitive information.
Microsoft also had contractors transcribing user audio from its virtual assistant, Cortana, as well as the video game console Xbox, which has some voice command functions connected to Cortana.
Many of these practices are technically within the bounds of the devices’ user agreements, and the companies claim they only used human review to improve the devices’ ability to understand speech.
The companies have also repeatedly emphasized the low number of conversations reviewed by human beings.
Yet these disclosures pose serious questions about the limits of privacy for connected households and businesses and the risks in using these devices.
Since the news broke, Amazon has added an opt-out option. Apple said it has paused human review, that it will let customers choose to opt out, and that only Apple employees will have access to recordings.
Similarly, Google added opt-out options and paused human review, but only in Europe. also said that it has paused human review of its Voice to Text feature.
Nevertheless, regulators in Europe and the United States are taking notice. The European Union’s sweeping General Data Protection Regulation (GDPR) maintains stringent rules for data privacy in the EU, and some of these activities may be beyond its boundaries.
Ireland’s Data Protection Commission, which leads the EU regulation of , has been investigating the company on other matters, and is now seeking information about whether ’s handling of user recordings is GDPR compliant.
Similarly, Luxembourg’s data privacy regulator has asked Amazon to provide information about Alexa, but has not commented further on its investigation.
In the United States, meanwhile, Senators Ed Markey (D-MA) and Josh Hawley (R-MO) questioned ’s collecting and sharing of user recordings. Hawley inquired on in August whether the practice violates ’s recent FTC settlement, which imposed stricter privacy guidelines.
Representative Seth Moulton (D-MA) introduced the “Automatic Listening Exploitation Act” in July, which would fine companies up to $40,000 whenever a device (including video doorbells) stores or makes a recording of a user or transfers that recording to a third party without the user’s explicit consent.
It would force companies to allow users to delete any transcript or recording from their device and the company’s files permanently.
A bipartisan group of senators also wrote to the Federal Trade Commission (FTC) asking it to investigate whether Amazon’s Echo Dot Kids Edition violates the Children’s Online Privacy Protection Act (COPPA) by not complying with its parental consent provision, which requires companies to specify what data is being collected, how the company uses it and whether/how it is shared with third parties. Additionally, the senators noted that the device may violate COPPA by not allowing parents to fully delete their children’s private information.
FTC investigations of COPPA violations have hit multiple tech companies this year: In February, the FTC fined Chinese app company Music.ly (now known as TikTok) $5.
7 million for violating COPPA by collecting children’s information without parents’ consent.
In September, the FTC also fined Google and a record $170 million for collecting children’s data to profit by selling the data for targeted ads.
For consumers, one way to avoid any potential privacy invasion might be simply refusing to use “smart home” internet-connected devices and digital assistants. But as the devices become more prevalent, opting out may not be a viable option for long, especially as manufacturers develop new applications for business use.
As reported by the Wall Street Journal, “Amazon’s Alexa Smart Properties team, a little known part of its Alexa division, is working on partnerships with homebuilders, property managers and hoteliers to push millions of Alexa smart speakers into domiciles all across the U.S.
” The partnerships makes sense: Amazon gets new users and their data, and property managers get discounted hardware (amenities to entice or keep potential buyers/renters) and access to information that allows them to analyze and predict their residents’ actions, such as signs of whether they are ly to renew their lease.
Amazon has plans to make its devices part of everything from stadiums and hotels to hospitals and retirement homes. Meanwhile, Google is making a similar push into the real estate market.
As these devices proliferate, manufacturers should disclose and offer clear ways to opt features that may violate privacy to protect themselves from regulation, fines, lawsuits and bad publicity. And consumers—including businesses that increasingly use these devices and programs—will have to weigh the benefits of possibly sacrificing some degree of privacy for convenience.